
It's fun sometimes to be smug because you are ("one is") using an operating system less susceptible to malware, or at least less targeted by malware creators, than is Microsoft Windows. Now, reader Orome1 writes with word of a Java-based, equal-opportunity botnet Trojan, excerpting from Help Net Security's report: "'IncognitoRAT is one example of a Java-based Trojan discovered in the wild that is being downloaded and installed by another component. This malware behaves like other Windows botnets but uses source code and libraries that can operate on other platforms,' explains McAfee's Carlos Castillo." So far, no mention of a Linux version, though.

If you rtfa, the software (trojan) has to be installed somehow. The payload has to get on a computer and be executed.

FTFA: The original propagation vector of IncognitoRAT is a Windows executable, but apparently it was created using the tool JarToExe, which includes, among other features, the ability to convert .jar files into .exe files, to add program icons and version information, and protect and encrypt Java programs... However, we've seen only the PC version in a downloader/dropper in the wild.

Yes, I can run a Java-based botnet client (it may be one of the first) but I have to get it to run on a computer without user interaction or demands for passwords or administrative rights - Windows excels in that part of the attack vector.

I got one. Before I got here, an unpatched system, possibly with some default passwords, was tossed on the Internet (presumably for updates/downloads) and was compromised. After cutting off all Internet access to/from it, there hasn't been another problem. Of course it was later wiped. It was only used for warez by whoever compromised it.

Not that I'm saying that it's common or uncommon or anything about frequency. But you seemed to indicate that it was essentially impossible, and I know that to be unt

And noscript is not used by the "patients" who need it most, and are the main targets of botnet operators. Even if you pwn a noscript user, that user is far more likely to notice that he/she is infected, and eventually fix that. These users are the minority, so the botnet operators don't care.

FWIW, I've written a cross platform agent (unix/linux) that scans for hardware/software, connects to a remote server, and can download new instructions. This is legit, for work and is for admins to do software and hardw

i've become quite accustomed to typing sudo in front of everything these days.. i'm sure i'd be vulnerable to this if i didn't also watch what i clicked (or watched the computer's response to things i most certainly didn't click)

...What do you need to use sudo for other than installing apps, starting services, or mounting stuff? I certainly hope you wouldn't sudo before running some random crap you got in an email attachment or something. Only times I ever sudo are to install software from trusted repositories, to run scripts that I wrote myself (generally for sshfs mounts) and to start services that were installed from trusted repositories.

So long as Nvidia's FTP server doesn't get hacked and I download a messed-with driver, I'm pretty safe. Only /one/ java applet ever runs through firefox: Runescape. Outside of that, Noscript blocks it all. I think I may have one or two other Java programs that run as user... but still, trusted software.

I am a linux user but the wife prefers Windows. On her Windows box I have installed Secunia PSI [secunia.com] which automatically updates most of the third party software on the system. If it does not update something, it informs her so she can do it manually.

You mean "Windows excels in that part of the attack vector a decade ago" FTFY. Seriously people Vista has been out nearly FIVE years, Windows 7 now for TWO years, did the DOS jokes continue into 2005?

So the moral of the story little childrens is this: stop running decade old shite and if you ARE gonna run decade old shite have a fricking brain about it and run a decent free AV (I'd recommend either Avast or Comodo as both have default sandboxing) along with not running every damned bit of code found in the

Heck, no need to make it a virus: Just add good functionality to your botnet client, and people will /intentionally/ install it! Think: Do you know many people who wouldn't give up some cpu cycles and bandwidth if it meant, say, easier torrents or the latest movies/music easily downloadable? What about a really nice screensaver? I think the next wave of malware will be things that get the user to install it... and /keep/ it installed!

> Think: Do you know many people who wouldn't give up some cpu cycles and bandwidth if it meant, say, easier torrents or the latest movies/music easily downloadable? What about a really nice screensaver? I think the next wave of malware will be things that get the user to install it... and /keep/ it installed!

At least it would be more functional than most of Sony's offerings! Ba-dum-pum.

I agree, Windows has slowly become more secure. Not quite there yet, but a lot better than what it used to be. The largest part of the attack vectors, however - as you suggest at the end of your post - is still mostly Windows for the moment, though: stupid users. An unfortunate, but as logical as it is damaging, consequence of that is stupid admins.

And right there is going to be the eternal damnation of the computer world: the users. Oh, how wonderful our job would be without them. That is, if there would b

> Yes, I can run a Java-based botnet client (it may be one of the first) but I have to get it to run on a computer without user interaction or demands for passwords or administrative rights - Windows excels in that part of the attack vector.

Or you can have a program that causes mischief while just running as a normal user. For example, it could participate in DDoS attacks or distributed hack attempts on a third party, or it could act as a file server for various types of nefarious data, or be part of a C&C network, or... There's a lot of things these systems can do without attacking the host per se, and for which running without significant privileges isn't a problem. (If it claimed to be a bittorrent client, it would even be awkward for m

> ...but uses source code and libraries that can operate on other platforms,

Read that again. Source code.

Also from the article:

> The original propagation vector of IncognitoRAT is a Windows executable, but apparently it was created using the tool JarToExe, which includes, among other features, the ability to convert .jar files into .exe files,...

In other words, it may be source compatible with Linux but there is no Linux binary in the wild. The jar files might run on Linux but the key component needed to download and install it is a Windows binary.

Had the summary comment been "No mention of a Linux installer", it would be more clear. Saying there is no "Linux version" implies that you would need a special version of the software for linux, which is not true. The fact that this malware does not require platform specific versions is what makes it interesting, so saying (even unintentionally) that there is no linux version seems silly.

Additionally, all of my applications -- especially Java (IcedTea) -- run as a user of the same name & group. So, e.g.: my Java app called JOGL-BlockDrop is run as jogl-bd and only has access to jogl-bd or jogl-bd-perm grouped files, and that group is not allowed to make UDP or TCP connections (I give per application / group access to my network via iptables).

Java is not Java if you use platform specific attack vectors as this botnet does. In this case it can theoretically operate on other platforms, but it cannot propagate to them. One could install it intentionally perhaps, but it won't make its way onto the Linux box against the system administrator's will.

> In this case it can theoretically operate on other platforms, but it cannot propagate to them. One could install it intentionally perhaps, but it won't make its way onto the Linux box against the system administrator's will.

Thus it's called a Trojan - not a virus. It won't self-replicate and transmit to computers on other OSes as well...

You completely missed the point. On linux it is NOT a trojan since tricking the user into running it does not result in a successful exploit. The admin would have to install it intentionally. Again, nice try, but understanding the subject matter beats reading a summary every time.

You don't enable or disable Java. If it's installed on your system, it's available to use. You can, however, enable or disable the Java applet plugin for your web browsers, which is probably what you're talking about and isn't necessarily what this is about (TFA didn't mention applets or browsers). Java applications (not applets) can run on your system as long as you have Java installed, regardless of whether you have the browser plugins enabled or not, just like how you can open a PDF if Adobe Reader is installed, regardless of whether you have the Adobe Reader browser plugin enabled or not. So in theory, if they found an attack vector for your OS, having the Java plugin disabled wouldn't stop this from running on your system at all.

Getting it onto your system is the trick, though. If they found a hole in the Java plugin's sandbox, they could potentially exploit that using an applet and get the code onto your system. Disabling the plugin prevents that possibility, but if they were trying to push this via browsers there are lots of other plugins and holes are found in browsers all the time.

That being said, I don't bother with the Java plugin either, because applets are crap and I have no use for them and agree with you about sites requiring them (and I'm a full-time Java developer)

It only takes being discovered once to have it removed from the app store, and hence not reasonably installable. Imagine how many pieces of malware would exist on Windows if MS actively and persistently vetted all software... It would probably tend towards zero.

Wouldn't any OS API exploit allow said -now deleted- program from installing a real root kit within something that apple can't just wave a magic wand to clean up? One of the hardest entry vectors for virus writers is to run binaries on hardware. Since Apple's platform is one universal hardware platform, its a lot easier to exploit a single weakness for large impact effects.

The only "security" iOS has is that you have to shell out $100/year to be a developer. Gives great protection against hobbyist programmers, does absolutely nothing against the Russian mafia.

Oh god, are you trying to tell me the billion fart apps, soundboards and shitty glorified flash applets from the early 2000s are written by professional programmers? Or that hobbyists don't have $100 a year to spare for their hobby? Say it ain't so! :(

I got a machine rootkitted a few months ago, and it apparently came in through Exim. Took some time to clean up the mess, and then discovered that the hoster set up the preinstalled Debian with their own copy of the security repositories. They had some problem around that time and were running a few days behind - the original repos already had an update for the packages. One more thing added to my checklist when setting up a new machine.

So yes, there definitely is malware out there in the wild. Not keeping

Indeed... what amazes me is how many people still fall for the old tricks. I guess there really isn't any antivirus that protects against stupid.

I'd be willing to bet OpenBSD is pretty tough... though, it still suffers from the weakest link (the user.) Here's to hoping the average OpenBSD user isn't as stupid as the average Mac/Windows/Ubuntu user. :)

OpenBSD tough? Perhaps, although unlikely to be any more secure than NetBSD or FreeBSD, given that much of the security work that goes into one of them ends up in all three. As for robust, well that's another matter. Because it's a low priority in the OpenBSD world, scalability and performance is poor, which means it's easier to DOS a machine running OpenBSD than an equivalent one running Net or Free.

Wasn't this posted here a while back? I think it does run on Windows, Mac and Linux, but tests showed that Linux is the only platform that doesn't allow it to restart after a reboot. Can't find the story, could be wrong.

I used to run one of those what is my IP sites. Now it's IPv6 only because various botnets started (ab)using it. I get a few thousand hits by "Apache-HttpClient/UNAVAILABLE (java 1.4)" per hour. Other AV vendors have known for a while; searching for my sites lists several (not mcafee) who list my site as something the bots use.
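The comment above describes the signal a site operator actually sees: a burst of requests from a fixed, odd User-Agent string. The following is an added example (not code from the original thread or from any vendor mentioned in it) that runs the obvious detection over Apache combined-format access log lines: parse each line, bucket hits from the reported agent string per hour, and list the source addresses. The log lines are constructed for the example; the only thing taken from the page is the agent string itself.

```python
import re
from collections import Counter

# The agent string the comment reports seeing a few thousand times per hour.
BOT_UA = "Apache-HttpClient/UNAVAILABLE (java 1.4)"

# Apache "combined" log format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (addresses are from documentation ranges, not real hosts).
SAMPLE_LOG = """\
203.0.113.7 - - [02/May/2011:10:14:02 +0000] "GET / HTTP/1.1" 200 31 "-" "Apache-HttpClient/UNAVAILABLE (java 1.4)"
198.51.100.23 - - [02/May/2011:10:14:05 +0000] "GET / HTTP/1.1" 200 31 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/4.0"
203.0.113.7 - - [02/May/2011:10:31:40 +0000] "GET / HTTP/1.1" 200 31 "-" "Apache-HttpClient/UNAVAILABLE (java 1.4)"
192.0.2.99 - - [02/May/2011:10:47:13 +0000] "GET / HTTP/1.1" 200 31 "-" "Apache-HttpClient/UNAVAILABLE (java 1.4)"
192.0.2.99 - - [02/May/2011:11:02:59 +0000] "GET / HTTP/1.1" 200 31 "-" "Apache-HttpClient/UNAVAILABLE (java 1.4)"
198.51.100.23 - - [02/May/2011:11:05:00 +0000] "GET /robots.txt HTTP/1.1" 404 209 "-" "curl/7.21.0"
this line is not a log entry and must be skipped
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def hour_bucket(ts):
    """'02/May/2011:10:14:02 +0000' -> '02/May/2011:10' (the per-hour key)."""
    return ts[:14]


def bot_hits_per_hour(lines, ua=BOT_UA):
    """Count requests carrying the given User-Agent, keyed by hour."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ua"] == ua:
            hits[hour_bucket(rec["ts"])] += 1
    return dict(hits)


def bot_sources(lines, ua=BOT_UA):
    """Count requests carrying the given User-Agent, keyed by client address."""
    sources = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ua"] == ua:
            sources[rec["ip"]] += 1
    return dict(sources)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for hour, n in sorted(bot_hits_per_hour(lines).items()):
        print(f"{hour}: {n} hit(s) from {BOT_UA!r}")
    for ip, n in sorted(bot_sources(lines).items()):
        print(f"  {ip}: {n}")
```

In production you would read the live log instead of `SAMPLE_LOG`, and a per-hour count far above the site's baseline is the alert condition; the per-address breakdown is what you hand to the abuse contact or feed into a rate limit. Matching on the exact agent string is deliberately narrow: this agent is characteristic of a particular client library, so a broader pattern (anything containing `Apache-HttpClient`) will also catch legitimate Java tooling and should only be used as a ranking hint, not a block rule.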

> Java-based Trojan discovered in the wild that is being downloaded and installed by another component. This malware behaves like other Windows botnets but uses source code and libraries that can operate on other platforms..

Is there a working demo in the wild that I can click on and get rooted on other non-Windows platforms?

How imaginative. Why, when this fallacious "reasoning" defeated in every single slashdot story in which it comes up, do people persist in trying to promote this myth? You *can't* unwittingly install and run arbitrary code on Linux the way you can on windows, unless you're incompetent and running as root all the time (which incredibly, I do know of at least one person who does -- but it's rare).

I'm not really disagreeing with you, but not knowing linux I don't see why this is true. It seems to me that you can't really unwittingly run arbitrary code on windows and that any of the applications/settings that negate this would be just as big a problem on linux.

Great, since you clearly know why it is so, perhaps you could explain it to us mere mortals that are perfectly happy using only one OS. My opinion matters, my information however is undependable because I didn't provide anything. Wolfing's opinion also matters but his information is also undependable because he didn't provide any either. If you're going to state an opinion, you probably want to back it up when queried on it. Very few people should believe a statement that says "This is true because it is".

> You *can't* unwittingly install and run arbitrary code on Linux the way you can on windows, unless you're incompetent and running as root all the time

Last I checked, most Linux distros don't have noexec on home, so you most certainly can install and run arbitrary code without having root. It's slightly more of a hurdle in that email attachments and downloaded files won't be immediately executable.

Then again, in Ubuntu, for example, downloading a .deb package in browser and clicking "Open" will launch a GUI installer - and if user clicks "Yes, I want to install this", the .deb can run anything it wants as part of that installation, with root permissions t
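The comment above turns on whether the user's home directory is mounted `noexec`. The quickest way to know is to read `/proc/mounts` and find the mount that actually covers a path, which is the longest mount point that is a prefix of it (a bind mount or separate filesystem under `/home` can silently override the parent's options). The block below is an added example, not code from the thread; the mount table it checks is constructed, and `report()` only reads the real `/proc/mounts` when no text is passed in.

```python
# Constructed /proc/mounts content: /home and /tmp are noexec, but a separate
# filesystem mounted under a user's home is not.
MOUNTS_CONSTRUCTED = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /home/alice/build ext4 rw,relatime 0 0
"""


def parse_mounts(text):
    """Return a list of (mount_point, set_of_options) from /proc/mounts-style text."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # /proc/mounts escapes a space in a mount point as the octal sequence \040.
        mount_point = fields[1].replace("\\040", " ")
        mounts.append((mount_point, set(fields[3].split(","))))
    return mounts


def mount_for(path, mounts):
    """Return the (mount_point, options) whose mount point is the longest prefix of path."""
    best = None
    for mount_point, options in mounts:
        prefix = mount_point if mount_point.endswith("/") else mount_point + "/"
        if path == mount_point or path.startswith(prefix):
            if best is None or len(mount_point) > len(best[0]):
                best = (mount_point, options)
    return best


def is_noexec(path, mounts):
    """True if the filesystem covering path was mounted with noexec."""
    found = mount_for(path, mounts)
    return found is not None and "noexec" in found[1]


def report(path, text=None):
    """Human-readable verdict for one path; reads the live /proc/mounts if text is None."""
    if text is None:
        with open("/proc/mounts") as f:
            text = f.read()
    mounts = parse_mounts(text)
    found = mount_for(path, mounts)
    if found is None:
        return f"{path}: no covering mount found"
    flag = "noexec" if "noexec" in found[1] else "exec allowed"
    return f"{path}: covered by {found[0]} ({flag})"


if __name__ == "__main__":
    for p in ("/home/alice/Downloads/payload", "/home/alice/build/out", "/tmp/x", "/usr/bin/python3"):
        print(report(p, MOUNTS_CONSTRUCTED))
```

Two caveats a practitioner would want to keep in mind. First, the check only tells you whether the kernel will refuse to `exec` a file from that location; an interpreter invoked explicitly (`sh script`, `java -jar file.jar`) reads the file as data and `noexec` does not apply, which is exactly why the comment calls it "slightly more of a hurdle" rather than a barrier. Second, the longest-prefix rule matters in practice: a build or scratch filesystem mounted under a home directory without `noexec` (as in the constructed table) undoes the protection for everything beneath it.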

> Last I checked, most Linux distros don't have noexec on home, so you most certainly can install and run arbitrary code without having root.

If that's the whole story and you're so knowledgeable then prove me wrong by whipping up a little malware for Linux and post the link so I can try it out. Oddly, after several years of proposing this obvious way to prove that "point", not one person has done it. Must not be as easy as you like to imagine.

If you want to see HOT NAKED LESBIANS though, I'll be happy to give you the link: right here [slashdot.org].

If it doesn't work, it's because your firewall blocks it. It's because your Ubuntu Linux, being such a secure OS as you surely know, is highly efficient at blocking various things deemed undesirable. Makes sense, right? But if you want to see HOT NAKED LESBIANS, you'll need to disable it just for this occasion. Luckily this is very easy to do. Just go to Applications -> Utilities

You didn't ask for malware for Gentoo, though. You asked for malware for Linux. 70% of Linux boxen out there run Ubuntu, and probably a half of people who run them don't know what they're doing (judging by the number of people burned every time someone posts a fork bomb or rm carefully disguised inside some Perl ASCII graphics).

I think my original point stands though. If it's so easy to compromise Linux, why isn't it being done? Why can't the very people who like to crow about how easy it is (and even hurl accusations of "security through obscurity") just put up or shut up?

I think we both know the answer to that. The PEBKAC is still there for the average user, no matter which system they use. But in Linux the system isn't designed to make it trivial to run any code from any location, as windows historically has been -- it's a bit better with 7 than it was previously, and XP SP3 is also a major improvement over previous versions. But it's still fairly trivial to generate windows malware, going by the sheer volume of infected machines. I personally have one person in my contacts running win7 whose machine is spamming me daily. Oops. Windows is still the lowest hanging fruit, and as criminals are pretty much always lazy people looking to get rich quick that's what they go for. When that's gone, they'll move on to other scams (assuming OS X has been locked down, otherwise that's hanging a bit low as it is). They will not learn to be 1337 for reelz and finally code that Linux virus. That's not the criminal MO.

> Then again, in Ubuntu, for example, downloading a .deb package in browser and clicking "Open" will launch a GUI installer - and if user clicks "Yes, I want to install this", the .deb can run anything it wants as part of that installation, with root permissions too.

Bullshit, you'll get a gksudo prompt, assuming you have sudo privileges at all.
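Both sides of the exchange above agree on the mechanism and disagree only about the prompt: a .deb carries maintainer scripts (`preinst`, `postinst`, `prerm`, `postrm`) that dpkg runs as root, so the meaningful check before clicking "Yes" is to look at those scripts. A .deb is an `ar` archive holding `debian-binary`, a control tarball and a data tarball; the control tarball is where the scripts live. The block below is an added example, not code from the thread or from dpkg: it builds a minimal constructed .deb in memory (so it runs offline) and then parses it back to list the maintainer scripts. The package name and script body are made up for the example.

```python
import io
import tarfile

MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")


def _ar_member(name, data):
    """Encode one member of an 'ar' archive: 60-byte header, data, pad to even length."""
    header = (name.ljust(16) + b"0".ljust(12) + b"0".ljust(6) + b"0".ljust(6)
              + b"100644".ljust(8) + str(len(data)).encode().ljust(10) + b"`\n")
    assert len(header) == 60
    return header + data + (b"\n" if len(data) % 2 else b"")


def _tar_gz(files):
    """Build a gzipped tar (names prefixed './' as dpkg-deb does) from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name="./" + name)
            info.size = len(content)
            info.mode = 0o755
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_constructed_deb(postinst):
    """Constructed sample package: a control file plus one postinst script, empty data."""
    control = (b"Package: example-constructed\nVersion: 0.1\nArchitecture: all\n"
               b"Maintainer: nobody <nobody@example.invalid>\nDescription: constructed sample\n")
    return (b"!<arch>\n"
            + _ar_member(b"debian-binary", b"2.0\n")
            + _ar_member(b"control.tar.gz", _tar_gz({"control": control, "postinst": postinst}))
            + _ar_member(b"data.tar.gz", _tar_gz({})))


def iter_ar_members(blob):
    """Yield (name, payload) for each member of an 'ar' archive."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        header = blob[pos:pos + 60]
        if header[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        name = header[0:16].decode().rstrip().rstrip("/")  # GNU ar may end names with '/'
        size = int(header[48:58].decode().strip())
        start = pos + 60
        yield name, blob[start:start + size]
        pos = start + size + (size % 2)  # members are padded to an even offset


def maintainer_scripts(deb):
    """Return {script_name: text} for every maintainer script in the control tarball."""
    scripts = {}
    for name, payload in iter_ar_members(deb):
        if not name.startswith("control.tar"):
            continue
        with tarfile.open(fileobj=io.BytesIO(payload), mode="r:*") as tar:
            for member in tar.getmembers():
                base = member.name.split("/")[-1]
                if member.isfile() and base in MAINTAINER_SCRIPTS:
                    scripts[base] = tar.extractfile(member).read().decode()
    return scripts


if __name__ == "__main__":
    sample = build_constructed_deb(b"#!/bin/sh\nset -e\necho 'this runs as root during install'\n")
    for script, body in maintainer_scripts(sample).items():
        print(f"--- {script} ---\n{body}")
```

On a real system the same inspection is one command: `dpkg-deb --control pkg.deb DEBIAN/` unpacks the control tarball (including any maintainer scripts) into a directory you can read before installing. The parser above exists only so the example is self-contained; the point it makes is the one both commenters rely on, namely that the privilege prompt authorises whatever those scripts contain, so the prompt is a gate, not a review.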

linux is user-friendly if all you want to do is browse, tweet, IM or email.

as soon as you try anything else, you're in "this is unsupported. it's not our fault. there's a patch here, or is it here. you'll have to recompile the kernel, then recompile ALSA, then compile and install wineasio, jack-dev, and wine-dev, then configure everything. oh, you mean you're not running this really old kernel? well, there's no k

The problem with your BS MR AC, is this: Those servers? they actually have these things called "admins" that make many thousands of dollars and are sent to classes and things like Black hat to stay on top of the game, whereas with Windows you have the nice little old lady down the hall that still can't figure out the difference between memory and hard drive space.

Think of it THIS way MR AC: Which would be easier to rob, the bank in the middle of Paduka AR with one old guy that hasn't fired a gun in 30 years

You've only looked at the two extremes. What about all the companies running plain-jane Linux servers with access to all their VoIP accounts and/or file shares? What about all the websites that aren't run by megacorporations with a team of uber-leet admins watching it like a hawk? And what about all the Windows servers that ARE watched like a hawk by uber-leet admins but get broken into anyways?

Guys, guys... He did it intentionally as part of the IRONY! If he were really mistaking pi for e, he wouldn't be able to type the word "slashdot" in his browser to access this website. His message here (not that I necessarily concur) is: "User 2.7182 is so stupid that he put this number as his username believing it was pi!"

It is funny how the "They don't attack X because it's not popular" meme keeps popping up, no matter how often people show how wrong it is.

My favorite approach for debunking it is to point out that apache has been the overwhelmingly dominant web server since 1996 (according to Netcraft), and web servers are one of the most inviting targets that the computer business has to offer. But how many actual exploits have ever appeared for apache? When was the last story of a worm, virus, whatever making the roun

Beyond this, the bot doesn't need root privs to run under the logged in user... The only reason for the root escalations in windows is to work around the antivirus programs that are more common in windows... targeting a platform without active av is easier.. I'm surprised there aren't more mac trojans currently.